Skyhigh Security

Lambda Prerequisites

Before you can use Lambda to create custom rules, you need to update the IAM role that grants Skyhigh CASB permissions, and you need to update the trust relationship so that Skyhigh CASB can assume a role in your S3 buckets.

Update IAM Role

Copy and paste the following JSON to update the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1510661968000",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction",
                "lambda:ListFunctions",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

 

Edit Trust Relationship

Invoking functions in Lambda and uploading scripts requires additional permissions to be assigned to the Skyhigh CASB role in IAM.

  1. Navigate to IAM and create a new policy called SHN_Lambda.
  2. Copy and paste the following JSON to edit the trust relationship.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::522462218264:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "997131"
        }
      }
    }
  ]
}
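
As an added example (not part of Skyhigh's documentation), this Python check reviews the two policies on this page for the points an AWS reviewer would look at: iam:PassRole allowed on Resource "*" with no iam:PassedToService condition, and cross-account sts:AssumeRole trust that lacks an sts:ExternalId condition. The function names are hypothetical, and the policies are embedded copies of the JSON above.

```python
import json

# Policies from this page, compacted and embedded so the check runs offline.
PERMISSIONS = json.loads('''{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1510661968000", "Effect": "Allow",
  "Action": ["lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
             "lambda:GetFunctionConfiguration", "lambda:InvokeFunction",
             "lambda:ListFunctions", "lambda:UpdateFunctionCode",
             "lambda:UpdateFunctionConfiguration", "iam:PassRole"],
  "Resource": ["*"]}]}''')
TRUST = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::522462218264:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "997131"}}}]}''')

def as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]

def condition_keys(stmt):
    """Lower-cased condition keys used by a statement, across all operators."""
    return {key.lower() for op in stmt.get("Condition", {}).values() for key in op}

def review_permissions(policy):
    """Flag Allow statements that grant iam:PassRole on every resource
    without restricting the receiving service via iam:PassedToService."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        passes_role = bool(actions & {"iam:passrole", "iam:*", "*"})
        unscoped = "*" in as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow" and passes_role and unscoped
                and "iam:passedtoservice" not in condition_keys(stmt)):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: iam:PassRole on Resource '*'")
    return findings

def review_trust(policy):
    """Return AWS principals that may assume the role with no sts:ExternalId check."""
    missing = []
    for stmt in as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if stmt.get("Effect") == "Allow" and "sts:externalid" not in condition_keys(stmt):
            missing.extend(aws)
    return missing

if __name__ == "__main__":
    print(review_permissions(PERMISSIONS), review_trust(TRUST))
```

On this page's policies the first check reports statement Stmt1510661968000, and the second reports nothing because the cross-account statement carries an external ID.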